Saturday, July 29, 2006

Self Asserted Identity

On the Identity Gang Mailing List, there was a recent discussion about identity claims, signatures, and business agreements. The issue of self-asserted identity and whether or not it would be acceptable in business transactions came up...

Today, most internet ecommerce transactions take place using self-asserted identity. I, the user, select my own username and password that is used to identify me to the web site. I, the user, provide my identity data such as name, address, and phone number. I, the user, even provide them with the credit card information used in the transaction.

One might assert that when I use my Discover Card for a transaction, Discover is actually asserting the data and that's why it's accepted for the transaction. In fact, this is not the case. When I use my card to make a purchase at, say, Amazon, it is Amazon who is on the hook for the transaction value should I later tell Discover that I didn't partake in the transaction.

So, when Amazon accepts my Discover Card for a transaction, it is a self-asserted transaction that they have chosen to accept because they want to do business with me and because they have put in place fraud detection techniques that make them comfortable with the transaction.

Much of what we do in the world today is done using self-asserted identities. We should embrace that model and continue to support it as we evolve this identity system of the future. At the same time, we should provide means to protect the user from misuse of their self-asserted identities and to protect relying parties from the same.